We always think that the best protection against web-distributed malware is to exercise caution while browsing. But what if you aren’t even browsing in the classic sense, and an application renders a malware-infested page? I found out this morning.
I grabbed my first cup of coffee this morning and launched the Windows 10 MSN News app. I’d been reading stories for about 30 minutes when a story in my “Microsoft” search tab caught my eye: “Microsoft Issues Black Friday Malware Warning”. It showed as being from the International Business Times, not one of the obscure sites that MSN News sometimes picks up. I clicked on the tile and started reading. Suddenly my Surface Book 2 started talking. The coffee wasn’t yet working so I couldn’t quite make out what was being said, but I thought “%^*%” auto-play video, so I clicked the back arrow to get rid of the page. The woman with the English accent didn’t stop talking. I killed MSN News, still she droned on. I clicked on Edge and there it was, the MSN News article had somehow launched a browser tab with some kind of phishing/ransomware/malware site.
What the woman was saying was something about my computer was found to have “pornographic malware” and that I had to contact them. I saw that the web page had a phone number on it, and darn but I was too busy trying to kill this to write it down. On top was a modal dialog box: You’ll notice there is no checkbox for “prevent web page from launching dialog boxes”, or whatever Edge says. I killed the dialog box and saw that underneath was another dialog box with that checkbox. But before I could check it the above dialog box was back. At one point I did check it in time, only to have the web page try to go to full screen mode. Fortunately Edge let me block that. So this second dialog was apparently a fake as well.
Unable to do anything to kill this from within Edge I launched Task Manager. I really wanted to keep my other tabs so I tried killing just the process for the malicious one. It didn’t work, it just kept re-launching. I killed the top level process, re-launched Edge, and killed the malicious tab without opening it. Nope, that wasn’t enough. The malicious page came back to life. I went through the whole thing again and this time clicked on the tab to start fresh. Then I went into settings and cleared everything. This finally seemed to stop it.
Next came a scan, then an offline scan, with Defender. I followed that up with a Malwarebytes scan. Nothing. It looks like Edge managed to keep this beast from breaking through and making system changes, but I’m not confident about that yet. I’m going to take a deeper look before declaring victory.
Maybe the worst part of this is I have no way to report it to Microsoft, or anyone else. I couldn’t copy the offending URL from the address bar because of the modal dialog. And I discovered that when you go into Edge’s browser history you can either re-launch the page or delete the history item, but you can’t Copy the link. I spent some time looking around to see if Edge stored history in human readable format, but eventually gave up. I don’t see a way to report the bad story in MSN News, but now I’ll go try to find it elsewhere.
Bottom line: Don’t think that good browsing habits will save you. I’ve been using the MSN News app since it was first released with Windows 8, with this being the first malicious story I’ve found. And it was an infected web page on a mainstream site.
Update (11AM Eastern): I scanned the IBT web page for this story using several tools, such as VirusTotal, and came up blank on any malware. So I viewed the story directly. Nothing bad happened. So while the problem occurred while I was viewing the IBT story in MSN News, it isn’t clear what really caused the malicious page to launch. I also went and checked the family member’s WiFi router I’m on and discovered it wasn’t up to my standards for security settings. I hardened that up.